[Bro] Connection History: "connection direction was flipped by Bro’s heuristic"

Dave Crawford bro at pingtrip.com
Fri Apr 21 16:35:18 PDT 2017

What does the caret ("connection direction was flipped by Bro’s heuristic") in a connection's history mean? If the packet in question was spoofed (like the receiving end of a DNS amplification attack) would that trigger Bro’s heuristics?

Below are entries from dns, conn and weird logs for the same event for which I can’t find any indications that it sourced from my network. Additionally, there are no subsequent connection attempts to the IP contained in the response packet.

1491285594.163321       CFXfdl4zMQrM2T15Wa      <REDACTED>   57555    53      udp     21705   -       wfuvsrsrwb.www.91duofenxiang[.]com        -       -       -       -       0       NOERROR F       F       F       T       0       193.58.251[.]1    60.000000       F

1491285594.163321       CFXfdl4zMQrM2T15Wa      <REDACTED>   57555    53      udp     dns     -       -       -       SHR     T   ^d       0       0       1       94      (empty) PDC_NSM-4       US      RU

1491285604.163437       CFXfdl4zMQrM2T15Wa      <REDACTED>   57555    53      dns_unmatched_msg       -       F       PDC_NSM-4
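
Added example, not part of the original post: a short Python sketch that decodes a conn.log history string (upper case = originator, lower case = responder, `^` = direction flipped) and lists flipped UDP/53 flows in which only responder packets were counted, the shape of the `^d` entry above. The function names, the reduced column set and the sample rows are assumptions constructed for illustration; the check isolates flows of this shape and does not by itself show whether a packet was spoofed.

```python
import csv
import io

# Meanings of conn.log history letters (subset from the Bro documentation).
# Upper case = seen from the originator, lower case = seen from the responder.
LETTERS = {"s": "SYN", "h": "SYN+ACK", "a": "pure ACK", "d": "payload data",
           "f": "FIN", "r": "RST", "c": "bad checksum", "i": "inconsistent packet"}

def decode_history(history):
    """Return (flipped, [(side, meaning), ...]) for a history string."""
    flipped = "^" in history
    events = []
    for ch in history.replace("^", ""):
        side = "orig" if ch.isupper() else "resp"
        events.append((side, LETTERS.get(ch.lower(), "other (%s)" % ch)))
    return flipped, events

def response_only_dns(conn_tsv):
    """UIDs of flipped UDP/53 flows in which no originator packet was counted."""
    hits = []
    for row in csv.DictReader(io.StringIO(conn_tsv), delimiter="\t"):
        flipped, events = decode_history(row["history"])
        if (flipped and row["proto"] == "udp" and row["resp_p"] == "53"
                and int(row["orig_pkts"]) == 0 and int(row["resp_pkts"]) > 0
                and all(side == "resp" for side, _ in events)):
            hits.append(row["uid"])
    return hits

# Constructed sample (not the poster's data): reduced columns, RFC 5737 addresses.
SAMPLE = "\n".join("\t".join(r) for r in [
    ("uid", "orig_h", "orig_p", "resp_h", "resp_p", "proto", "history",
     "orig_pkts", "resp_pkts"),
    ("Cexample1", "192.0.2.10", "57555", "198.51.100.1", "53", "udp", "^d", "0", "1"),
    ("Cexample2", "192.0.2.10", "40000", "198.51.100.1", "53", "udp", "Dd", "1", "1"),
    ("Cexample3", "192.0.2.11", "51000", "198.51.100.2", "443", "tcp", "ShADadFf", "6", "5"),
])

if __name__ == "__main__":
    print(decode_history("^d"))
    print(response_only_dns(SAMPLE))
```

Joining the returned UIDs against dns.log and weird.log (for example `dns_unmatched_msg`) gives the same three-log view the post shows for one event.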
